Phishing attacks target workers returning to the office


Emails with fake COVID-19 training materials are trying to trick employees into sharing their Microsoft credentials, says Check Point Research.



The coronavirus has been a subject ripe for exploitation and abuse by cybercriminals with phishing campaigns, malicious websites, and phony apps. Now that organizations in some parts of the world are trying to reopen, recent phishing attacks observed by the cyber threat intelligence provider Check Point Research are targeting employees returning to the office.


In a Thursday blog post, Check Point noted that organizations welcoming back workers are enacting testing programs and workplace rules to guard against COVID-19 infections. To prepare employees, many companies are offering webinars and training videos to explain the new rules and requirements. Of course, cybercriminals are aware of this trend and are actively exploiting it.

In phishing campaigns observed by Check Point, attackers are deploying emails and malicious files masquerading as COVID-19 training materials. One particular email tries to trap the recipient into signing up for a phony employee training seminar. Clicking the link in the email actually leads the person to a malicious website designed to capture their Microsoft credentials.


But the level of cyberattacks exploiting COVID-19 varies by region and its return-to-work status. Areas such as Europe and North America, where organizations are returning to work, have seen a decline in the number of malicious coronavirus-related attacks. Areas such as Latin America and South Africa that are still grappling with the virus are seeing a rise in the number of such attacks.

Of course, cybercriminals are happy to pounce on any topic in the news to spread malware. Another phishing campaign spotted by Check Point is taking advantage of the current Black Lives Matter movement. In one specific attack seen in early June, emails were sent out with such subject lines as “Give your opinion confidentially about Black Lives Matter,” “Leave a review anon about Black Lives Matter,” or “Vote anonymous about Black Lives Matter.”

The emails contain a file attachment in the form of a Microsoft Word document named “e-vote_form_####.doc,” with the #### representing different digits. This attachment plays host to two malicious URLs, and clicking on it launches the Trickbot malware, a trojan designed to steal information from the targeted machine.

Since the pandemic started around the beginning of 2020, the number of coronavirus-related cyberattacks has gone down. Such attacks fell to 130,000 per week during the first week of June, a drop of 24% from the average number in May. But the number of overall weekly cyberattacks in June has increased by 18% from May.


Phishing attacks impersonate QuickBooks invoices ahead of July 15 tax deadline


Targeting the CEO and others in an organization, the attacks spotted by cybersecurity firm Darktrace were detected due to artificial intelligence.


Phishing campaigns typically use a few different tactics to compromise their victims. The initial emails usually spoof a company, brand, or product potentially used by the recipient. Often such emails pretend to come from a fellow employee or trusted external partner. Also, these emails sometimes are directed toward a specific individual within an organization, such as a C-level executive or someone with financial control. A recent phishing attack observed by Darktrace used all of those methods in an attempt to deploy malware.


The campaign analyzed was aimed at a cutting-edge technology company, a tempting target for cybercriminals looking for maximum profits. In the first wave, the cybercriminals spoofed QuickBooks, a product commonly being used in advance of the July 15 tax deadline. In the initial phishing email, the sender claimed to be from QuickBooks maker Intuit with the address


The email contained a file attachment masquerading as a legitimate monthly invoice that the organization would normally receive. This attachment appeared to be a standard Microsoft Office document but one with a macro designed to infect the targeted system with malware. The attack was directed toward several employees across multiple departments in the organization who had access to confidential information.

A month later, a second attack was launched against this same organization. This time, the attacker was able to compromise the email address of an accountant to send a phishing email directly to the CEO. In this instance, the email contained a Skype voicemail message as a way to coax the CEO to enter their login credentials on a phony Skype page.

“The fact that these attacks specifically targeted the CEO and only individuals who had access to the company’s research and intellectual property shows that this was a well-planned and meticulously executed attack,” Darktrace said in its report. “The emails were highly targeted and bespoke to the individuals, spoofing platforms they were known to use. We can assume information was leveraged from social media or even previous breaches to craft these emails.”

Since the attacks were ultimately unsuccessful, Darktrace wasn’t sure of the motives behind the campaign but was able to speculate.

“Their goal with the first wave seemed to be gaining access–either via malware or compromising account credentials,” Justin Fier, director of Cyber Intelligence & Analytics for Darktrace, told TechRepublic. “Given this was a technology company with invaluable IP (intellectual property), and that the attackers targeted the CEO and others involved with research with the second wave of attacks, it is likely that they were after more than just financial information, but were instead seeking to gain access to the company’s IP.”

Though both attacks snuck past traditional security solutions, the artificial intelligence (AI) component in the cybersecurity defense from Darktrace stopped each one. AI detected that the source of the spoofed emails was an IP address in Italy, which is outside the range of addresses permitted by Intuit to send email on its behalf. Darktrace also found these attempts suspicious compared with the SPF records normally assigned to Further, the AI component determined that it would be unlikely for the exact same email to be sent to so many different recipients across different departments within the organization.
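The two signals described above, a source IP outside the sender's published SPF ranges and one identical message fanning out across departments, can be checked with a short script. This is an added example, not Darktrace's detection logic; the domain `billing.example`, the SPF record, the IP addresses and the mail records are constructed, and only the `ip4`, `ip6` and `all` SPF mechanisms are evaluated.

```python
import ipaddress
from collections import defaultdict

RESULTS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def spf_result(record, sender_ip):
    """Evaluate the ip4/ip6/all mechanisms of an SPF record (a subset of RFC 7208)."""
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:            # skip the "v=spf1" version tag
        qualifier = "+"                        # default qualifier when none is given
        if term[0] in RESULTS:
            qualifier, term = term[0], term[1:]
        mech, _, value = term.partition(":")
        if mech == "all":                      # catch-all: evaluation stops here
            return RESULTS[qualifier]
        if mech in ("ip4", "ip6"):
            net = ipaddress.ip_network(value, strict=False)
            if ip.version == net.version and ip in net:
                return RESULTS[qualifier]
    return "neutral"                           # no mechanism matched

def flag_campaigns(messages, spf_records, min_departments=3):
    """Flag (domain, subject) groups that do not pass SPF and span many departments."""
    groups = defaultdict(lambda: {"departments": set(), "spf": set()})
    for m in messages:
        g = groups[(m["from_domain"], m["subject"])]
        g["departments"].add(m["department"])
        g["spf"].add(spf_result(spf_records[m["from_domain"]], m["source_ip"]))
    return sorted(key for key, g in groups.items()
                  if g["spf"] - {"pass"} and len(g["departments"]) >= min_departments)

# Constructed sample data: placeholder domain and documentation IP ranges.
SPF = {"billing.example": "v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.0/25 -all"}
MAIL = [{"from_domain": "billing.example", "source_ip": "203.0.113.45",
         "subject": "Your monthly invoice", "department": d}
        for d in ("finance", "research", "executive", "hr")]
MAIL.append({"from_domain": "billing.example", "source_ip": "192.0.2.10",
             "subject": "Payment receipt", "department": "finance"})

if __name__ == "__main__":
    for domain, subject in flag_campaigns(MAIL, SPF):
        print(f"suspicious: {subject!r} claiming to be from {domain}")
```

A production check would also resolve the `include`, `a` and `mx` mechanisms through DNS and compare the result with DKIM and DMARC alignment.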

Due to the AI security feature, the attack failed to gain a foothold in the organization. But the spoofing of a common item like a QuickBooks invoice still is cause for concern.

“This attack was clearly launched by an advanced group, with the group’s ability to so closely spoof Intuit’s platform especially concerning,” Darktrace said in its report. “As we approach the extended tax deadline of July 15, the group could easily launch more attacks–spoofing TurboTax to trick countless individuals, or target additional companies with fake QuickBooks invoices.”

How can organizations and individuals best protect themselves from these types of phishing attacks?

“Traditional email security tools will block spear-phishing attacks that have been seen before, but targeted and novel campaigns are often entirely unique in their content, exploiting the latest trending topic and leveraging specific details about a company,” Fier told TechRepublic. “In the continuous cat-and-mouse game with cyber-intruders, AI is capable of making accurate judgements about which emails are legitimate. In this specific instance, AI detected that the source location of the emails and the group of recipients was highly unusual, automatically blocking these illegitimate communications from even reaching the inbox in the first place.”
